[Firewall] Netfilter marks and policy routing blues

Lists lists at aewne.net
Wed Feb 11 20:51:22 CET 2015

Hello everyone,

Does anyone here have any experience with having netfilter mark packets 
to determine which route they should take?

A while back I was trying my hand at throwing together a script to use 
with OpenVPN in order to mark some packets that should be routed over 
the VPN interface of my gateway instead of the internet facing one. This 
was done with a combination of marking traffic to certain hosts as well 
as using some xtables modules to do some layer 7 filtering. Some other 
pressing matters came up and I didn't have time to continue work on it 
until now. It's somewhat working, but I've run into an issue I can't 
quite wrap my head around.

Below are the relevant portions of it.

sysctl -w net.ipv4.conf.${VPN_IF}.rp_filter=2

First, restore any and all marks on the connection:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

The script loops a bunch of times to resolve DNS A records to to IPs, 
and then applies a rule like this:
iptables -t mangle -A PREROUTING -d ${HOST} -j MARK --set-mark ${MARK}

Then as a test I've been experimenting with the ndpi-netfilter package 
to do application layer filtering like:
iptables -t mangle -A PREROUTING -m ndpi --rsync -j MARK --set-mark 

Then connmarking the whole connection:
iptables -t mangle -A PREROUTING -m mark --mark ${MARK} -j CONNMARK 

Set up the routing table:
ip route add default via ${VPN_GW} dev ${VPN_IF} table vpn
ip route add ${LAN_SUBNET} via ${LAN_GATEWAY} dev ${LAN_IF} table vpn
ip rule add fwmark ${MARK} table vpn
ip route flush cache

For individual hosts, this piece of iptables magic works, but the layer 
7 filtering is where it gets tricky. The packets are marked, seeing as 
the counters in the ruleset increase whenever I initiate an rsync 
process on another box on the LAN. However, regardless of the marking, 
the packets are not routed out on the VPN interface.

Anyone have any ideas on what's going on here? What did I miss?

For the record I am running a 3.17.7 kernel and Arno's Iptables Firewall 
Script v2.0.1e.


More information about the Firewall mailing list